Configuring TLS/SSL encryption

To configure TLS/SSL encryption:

• Configure the basic connection properties required for a connection:
  • Set the DatabaseName property to specify the name of the database to which you want to connect. Valid only on Db2 for Linux, UNIX, and Windows; Db2 Hosted; and Db2 Warehouse on Cloud
  • Set the LocationName property to specify the name of the Db2 location that you want to access. Valid only on Db2 for z/OS and Db2 for I.
  • Set the PortNumber property to specify the TCP port of the primary database server that is listening for connections to the database
  • Set the ServerName property to specify either the IP address in IPv4 or IPv6 format, or the server name (if your network supports named servers) of the primary database server.
• Set the EncryptionMethod property to SSL.
• For TLS/SSL server authentication, set the following properties or their corresponding Java system properties to specify the location and password of the truststore file.
  • TrustStore (javax.net.ssl.trustStore)
  • TrustStorePassword (javax.net.ssl.trustStorePassword)
• Optionally, set the CryptoProtocolVersion property to specify acceptable cryptographic protocol versions supported by your server. The default value is TLSv1.3.
• Optionally, set the ValidateServerCertificate property to true or false. When it is set to true, the driver validates the certificates sent by the database server. When it is set to false, the driver does not validate the certificates sent by the database server. The default value is true.
• Optionally, set the HostNameInCertificate property to a host name to be used to validate the certificate. The HostNameInCertificate property provides additional security against man-in-the-middle (MITM) attacks by ensuring that the server the driver is connecting to is the server that was requested.
• If your database server is configured for TLS/SSL client authentication, configure your keystore information:
  • Set the KeyStore and KeyStorePassword properties or their corresponding Java system properties (javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword, respectively) to specify the location and password of the keystore file.
  • If any key entry in the keystore file is password-protected, set the KeyPassword property to the key password.

The following examples configure the driver to use TLS/SSL server and client encryptions with user ID/password authentication.

Connection conn = DriverManager.getConnection 
("jdbc:datadirect:db2://myserver:50000;DatabaseName=payroll;
  EncryptionMethod=ssl;TrustStore=TrustStorePath;
  TrustStorePassword=secrettruststore;User=jsmith;
  Password=secret;);

Connection conn = DriverManager.getConnection 
("jdbc:datadirect:db2://myserver:50000;DatabaseName=payroll;
  EncryptionMethod=ssl;KeyStore=KeyStorePath;
  KeyStorePassword=secretkeystore;User=jsmith;
  Password=secret;);

Db2DataSource mds = new Db2DataSource();
mds.setDescription("My Db2 Data Source");
mds.setServerName("myserver");
mds.setPortNumber("50000");
mds.setDatabaseName("payroll");
mds.setEncryptionMethod("ssl");
mds.setTrustStore("TrustStorePath");
mds.setTrustStorePassword("secrettruststore");
mds.setUser("jsmith");
mds.setPassword("secret");

Db2DataSource mds = new Db2DataSource();
mds.setDescription("My Db2 Data Source");
mds.setServerName("myserver");
mds.setPortNumber("50000");
mds.setDatabaseName("payroll");
mds.setEncryptionMethod("ssl");
mds.setKeyStore("KeyStorePath");
mds.setKeyStorePassword("secretkeystore");
mds.setUser("jsmith");
mds.setPassword("secret");